Based on spec in openstack-helm repo,
support-OCI-image-registry-with-authentication-turned-on.rst
Each Helm chart can configure an OCI image registry and
credentials to use. A Kubernetes secret is then created with these
info. Service Accounts then specify an imagePullSecret specifying
the Secret with creds for the registry. Then any pod using one
of these ServiceAccounts may pull images from an authenticated
container registry.
Change-Id: Iebda4c7a861aa13db921328776b20c14ba346269
The prometheus-kube-state-metrics chart currently fails to lint
with helm3 due to an extra "-" character. This change removes
the extra dash character in order to allow us to link and build
the chart via helm v3.
Change-Id: Ice1661b8e52fb7e2293d8b03a19e8e7ad43078ca
Unrestrict octal values rule since benefits of file modes readability
exceed possible issues with yaml 1.2 adoption in future k8s versions.
These issues will be addressed when/if they occur.
Also ensure osh-infra is a required project for lint job, that matters
when running job against another project.
Change-Id: Ic5e327cf40c4b09c90738baff56419a6cef132da
Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
The current copyright refers to a non-existent group
"openstack helm authors" with often out-of-date references that
are confusing when adding a new file to the repo.
This change removes all references to this copyright by the
non-existent group and any blank lines underneath.
Change-Id: I1882738cf9757c5350a8533876fd37b5920b5235
On larger clusters the default timeout of 1s isn't enough. Use HTK to
expose settings and adjust defaults to be suitable for larger
clusters.
Change-Id: I2336c64d20fe689a5c7f22e8fbd170a27b1a1045
This patch set updates and tests the apiVersion for rbac.authorization.k8s.io
from v1beta1 to v1 in preparation for its removal in k8s 1.20.
Change-Id: I4e68db1f75ff72eee55ecec93bd59c68c179c627
Signed-off-by: Tin Lam <tin@irrational.io>
Ensures that the label selectors match the labels actually applied to
the pods, to allow network policies to be applied correctly.
prometheus-kube-state-metrics deployment:
application=kube-state-metrics
prometheus-process-exporter daemonset:
application=process_exporter
Change-Id: I964bac9e85db28c8af926158f13c99883029ac84
This updates the kubeadm and minikube Kubernetes deployments to
deploy version 1.16.2
Change-Id: I324f9665a24c9383c59376fb77cdb853facd0f18
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This adds the affinity key to the pod spec for the grafana,
nagios, kube-state-metrics, and openstack-exporter charts as it
was previously missed
Change-Id: Ifefa88d7f33607b4d595effa5fbf72f3387e5081
Signed-off-by: Steve Wilkerson <sw5822@att.com>
This PS adds emptydirs backing the /tmp directory in pods, which
is required in most cases for full operation when using a read only
filesystem backing the container.
Additionally some yaml indent issues are resolved.
Change-Id: I8b7f1614da059783254aa6efc09facf23fca3cad
Signed-off-by: Pete Birley <pete@port.direct>
This adds the release-annotation to the pod spec for the charts in
openstack-helm-infra. This also adds missing configmap annotations
to charts in openstack-helm-infra
Change-Id: Ie23f0c16a7a21d3929e98928db2bbcef69ae6490
This adds ingress network policies to kube-state-metrics and
openstack-exporter using the helm-toolikit template. It also
add openstack-exporter to the network policy jobs.
Change-Id: I3bfc2f1e8a35c09e577a046ebd52346de95e5745
This updates the kube-state-metrics chart to include the pod
security context on the pod template. This changes the pod's
user from root to the nobody user instead
This also adds the container security context to explicitly set
allowPrivilegeEscalation to false
Change-Id: I17748b299a6e7a394cae63a0e713c49fbf68b4eb
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. A follow up ps will add the ability to add arbitary
annotations to the same objects.
Change-Id: Iceedba457a03387f6fc44eb763a00fd57f9d84a5
Signed-off-by: Pete Birley <pete@port.direct>
In most cases, the ingress controller's nodeSelector key and value
are "node-role.kubernetes.io/ingress" and "true".
Using quote to treat the nodeSelector value as a string.
Change-Id: Ie1745629b90795e4d888d85f35565e6d6350e09b
This adds missing readiness probes to the following charts in
openstack-helm-infra: elasticsearch, fluent-logging, kibana,
nagios, prometheus-kube-state-metrics, prometheus-node-exporter,
and prometheus-openstack-exporter
Change-Id: I6a2635b08667c31eadb1b05ba848c658935a17e5
This changes the default image for kube-state-metrics to use the
bitnami image instead of the coreos image. This allows us to
override the image entrypoint, as the Alpine based image used
previously did not easily allow us to do so. Adding this also
makes creating a common prometheus exporter deployment template
easier, as it reduces the functional differences between exporter
charts and templates
Change-Id: I6c4aac36f563fcb15f52640bc6f9913b45b4358a
This PS moves to use the current ga version for kubernetes daemonsets,
additionally any remaining deployments that were using the
`extensions/v1beta1` have been updated to `apps/v1`.
Story: 2002205
Task: 21735
Change-Id: If9703162dc472af1e6096bf2b9062802fd5ce8ab
Signed-off-by: Pete Birley <pete@port.direct>
This updates the resources and the apigroups in the clusterrole
for kube-state-metrics to reflect the additional collectors that
are included in the image we use
Change-Id: I4b1c1779598e6488e4e1c8def18ad767d5d5fab4
This ps proposes adding a common template for the image_repo_sync
jobs for consumption by the charts
Change-Id: I48476d1e4fd94bd1b08b13b46983e3d999f8d8ca
This ps adds more granular node selectors for the charts in osh
infra to match what is currently done in osh
Change-Id: I8957a95053b9fb3ea329fd37ff049cd223a7695d
This PS simplify the logic for dyanmicly merging the image management
depenencies into pod deps when active.
Change-Id: I0cf6c93173bc5fbce697ac15be8697d3b1326d0a
This PS moves kube-state-metrics to use the endpoints section and
lookups to set the ports it serves on.
Change-Id: Icb4757a59852e508148ca9f1e682c722e40042c9
This PS moves existing dynamic common dependencies under a
'dynamic.common' key to simplify the yaml tree.
Change-Id: I4332bcfdf11197488e7bd5d8cf4c25565ea1c7b6
This PS moves static dependencies unser a 'static' key to allow
expansion to cover dynamic dependencies.
Change-Id: Ia0e853564955e0fbbe5a9e91a8b8924c703b1b02
This PS includes the release name in the cluster role to prevent
colision if the chart is deployed multiple times in the same
cluster.
Change-Id: I7166e5ee25b3d4c89879393c5f84c869585a2681
Adds "helm-toolkit.utils.merge" which is a replacement for the
upstream sprig "merge" function which didn't quite do what we
wanted, specifically it didn't merge slices, it just overrode
one with the other. This PS also updates existing callsites
of the sprig merge with "helm-toolkit.utils.merge".
Change-Id: I456349558d4cf941d1bcb07fc76d0688b0a10782
This PS is kube-state-metrics for kubernetes version 1.8.
Using kube-state-metrics:v1.2.0 image makes kube-state-
metric pod work properly. Also, gives authority to list
endpoints, persistentvolumes, and horizontalpodautoscalers
by adding them to clusterrole.
Change-Id: I705b29c321b0162740744afa8573dc6ae75bcc60
This adds checks for the fields in the service annotations for
prometheus, similar to the checks made for the pod annotations.
It also moves prometheus annotations under a prometheus: key
under a top-level monitoring tree to allow for other monitoring
mechanisms independent of the endpoints tree
Change-Id: I4be6d6ad8e74e8ca52bd224ceddad785577bf6c7
Removes an unused context declaration from the prometheus service
annotation template in helm-toolkit, and removes all references to
it
Change-Id: I57612c1504cf046f367ee10d26ef3062ebe528d3
Currently, services have two serviceaccounts: one specified in the
chart that cannot read anything, and one injected via helm-toolkit
that can read everything. This patch set refactors the logic to:
- cleanup the roles and their binding automatically when the helm
chart is deleted;
- remove the need to separately mount a serviceaccount with secret;
- better handling of namespaces resource restriction.
Co-Authored-By: portdirect <pete@port.direct>
Change-Id: I47d41e0cad9b5b002f59fc9652bad2cc025538dc
This adds the prometheus- prefix to the alertmanager,
kube-state-metrics and node exporter charts to reflect their
intended usage as part of a prometheus centric monitoring solution
This will imply a logical grouping of these components, similar to
their deployment in the osh-infra gates
Change-Id: I4f391a10b64389022f01a94ea3704c110f8f9bb5